Abstract
Threshold implementation is studied as a countermeasure against sidechannel attack. There had been no threshold implementation for the AES and Keccak S-boxes that satisfies an important property called uniformity. In the conventional implementations, intermediate values are remasked to compensate for the lack of uniformity. The remasking consumes thousands of fresh random bits and its implementation cost is a serious concern. Daemen recently proposed a 3-share uniform threshold implementation of the Keccak S-box. This is enabled by a new technique called the changing of the guards which can be applied to any invertible functions. Subsequently, Wegener et al. proposed a 4-share threshold implementation of the AES S-box based on the changing of the guards technique. However, a 3-share threshold implementation of AES S-box remains open. The difficulty stays in 2-input multiplication, used in decomposed S-box representations, which is non-invertible because of different input and output sizes. In this study, this problem is addressed by introducing a certain generalization of the changing of the guards technique. The proposed method provides a generic way to construct a uniform sharing for a target function having different input and output sizes. The key idea is to transform a target function into an invertible one by adding additional inputs and outputs. Based on the proposed technique, the first 3-share threshold implementation of AES S-box without fresh randomness is presented. Performance evaluation and simulation-based leakage assessment of the implementation are also presented.
Highlights
Cryptography can be used in a hostile environment in which an attacker has physical access to a computational device
Contributions In this study, we address the problem by introducing a certain generalization of the changing of the guards technique, which provides a generic way to construct a uniform sharing for any function
The proposed method is a generalization of the changing of the guards technique
Summary
Cryptography can be used in a hostile environment in which an attacker has physical access to a computational device. In such an environment, the attacker can obtain information leakage via physical side-channels such as execution time, power consumption, and electromagnetic radiation. Side-channel attack (SCA) introduced by Kocher et al [KJJ99] exploits such information leakage to break cryptography. New attacks and countermeasures have been studied for more than two decades. The need for countermeasures against SCA is increasing because embedded devices are increasingly used in hostile environments for the Internet of things [RSWO18]. Cryptographic computation is performed by using the shares without reconstructing the original value. IACR Transactions on Cryptographic Hardware and Embedded Systems ISSN 2569-2925, Vol 2019, No 1, pp. 123–145 DOI:10.13154/tches.v2019.i1.123-145
Sign-in/Register to view highlights & summary Sign-in/Register to access full text options 
Talk to us
Join us for a 30 min session where you can share your feedback and ask us any queries you have
Schedule a call
